axspawn-pam 0.2.1a

**************************************************************************
****************************** IMPORTANT NOTICE **************************
**************************************************************************
This version of axspawn-pam is the result of trying to build a version of
axspawn-pam that compiles with modern libs. I (Michael - dik342 -
icarus@dabo.de) found two different versions of this program: version
0.1, made by Joerg Reuter (dl1bke), to be found under
and version 0.2,
with additional programming by Luis Yanes (eb7gwl), downloadable under
. He added MD5 support.
Neither version compiled with modern AX.25 libs, nor did either work
together with the openssl lib. Additionally there was a lack of
documentation (still exists ;-)) and (what's worse) the little bit of
documentation seemed to be partially wrong.
By now I have only tested whether a login based on the baybox method and MD5
works. It does. ;-) (tested with LinKT). I didn't test other methods, and I
didn't test "axpasswd". I also need to take a look at the
auto-create-user option. I guess it's better not to use it at this moment.
;-)
Since I'm doing packet radio over CB (that's legal in Germany), I added a
new feature in the callcheck module, so that a CB user only needs to add a
word to use the program. (I hope it's legal; if not, please inform me about
that).
The following lines are a mixture of Joerg's words with additional comments
from Luis (eb7gwl), spiced with my own comments. I'm too lazy to make a
note where I changed something. If you are interested, just make a "diff"
between this version and the original one. ;-)
BTW: If you wonder about my callsign, dik342, it is no ham callsign, it's a
registered CB callsign from Germany, where it's legal to do packet with
CB.
And just a little disclaimer: I'm no real C programmer. I'm just a little
guy who can read C and likes to program in other languages like Pascal or
PHP. So please don't ask me about adding a feature or so, since I guess I
won't be able to do so. ;-)
**************************************************************************
==========================================================================
= THIS IS THE LIBPAM VERSION OF AXSPAWN! =
==========================================================================
To run this program you'll need the Linux PAM (Pluggable Authentication
Modules) library, available from ftp.redhat.com. For more information
about Linux PAM read http://www.redhat.com/linux-info/pam/
==========================================================================
This is my first try on a Linux PAM library based implementation of
axspawn. It is in early alpha stage and I'd like to hear your
(yes: YOUR!) comments, suggestions, bug reports and security concerns.
USE AT YOUR OWN RISK!
Please note that I am not going to answer general PAM configuration
questions. Linux PAM comes with a great amount of documentation,
you will find it on RedHat's web server, the Linux PAM homepage
and probably in /usr/doc/pam-*/html/ on your HD.
Files:
======
axspawn.c
    Axspawn, just like the old one but with PAM support ;-)
axpasswd.c
    Like unix passwd with PAM support and packet style ;-)
    Supports ARC4 encrypted password, and MD2, MD5, SHA1,
    RIPEMD160 or ARC4 verification.
pam_ax_autoacc.c
    Module to automagically create accounts for new users.
pam_ax_callchk.c
    Module that checks for a valid amateur radio callsign and
    adds the callsign to the UID/callsign mapping of
    the kernel AX.25.
pam_ax_tn_auth.c
    TheNet/F6FBB BBS/Baycom BBS style password module.
pam_ax_passwd.c
    TPK (and others) style password module. Support for MD2, MD5,
    RIPEMD160, SHA1 and ARC4. You will need the crypto libraries.
pam_ax_tools.c
    Functions common to the pam_ax modules.
common.c
    More functions common to the pam_ax modules.
contrib/pam_motd.c
    Prints /etc/motd or other file on login, can substitute
    meta-variables. See source for details.
contrib/pam_mail.c
    This one was missing from the PAM package I got with
    RedHat Linux, I've included it here.
Makefile
README
Copyright
=======
To install and build this program you will need the following additional
packages:
- openssl (tested with 0.9.6)
- libax (tested with 0.0.7)
You need to copy the following files from the openssl-package:
- global.h
- md2c.c, md2.h
- md5c.c, md5.h
- rmd_one.c, rmd_locl.h, rmdconst.h, ripemd.h, rmd_dgst.c
- rc4.c, rc4.h
- md32_common.h
- sha.h, sha1dgst.c, sha1_one.c, sha_locl.h
To get usable files for rc4 you have to take a look at the file rrc4.doc
and extract them from there. I don't know if it's illegal or not, sorry.
The following file needs to be copied from the libax25 package:
- axutil.o
Next action: type "make" and, if that completes (I'm not really
convinced it will), you can type "make install".
If you want to use pam_motd or pam_mail you have to type the same
commands in the "contrib" directory.
You can use the old configuration file for axspawn (axspawn.conf),
it is recommended to move the file to /etc/security/ though.
MD2 ???
=======
/*
* Request : I'd like to add the existing MD2 extension to this
* password scheme. However the free use of the algorithm
* and implementation is limited to internet mail by RSA.
* This clashes with GNU GPL and doesn't even allow us
* to use it for authentication via Packet Radio. The MD5
* algorithm is free though. Comments, suggestions?
*/
Some packet terminal programs support either or both of MD2 and MD5. Although
there is support for MD2, MD5, SHA1, RIPEMD160 and ARC4, none of these widely
available crypto libraries are included with this package. If you want to use
them you must get them yourself. (Some MD2 and MD5 libraries define all
functions without underscore, like MD5Init or MD2Init. If you have one of
these, rename them to MD5_Init (MD5_Update, MD5_Final ...) or MD2_Init
(MD2_Update ...).)
TPK only uses MD2, giving a hex-encoded reply to the password request.
PAM CONFIG
==========
Add to /etc/pam.conf:
axspawn auth required /lib/security/pam_ax_callchk.so
axspawn auth required /lib/security/pam_ax_autoacc.so
axspawn auth required /lib/security/pam_ax_tn_auth.so md2_pass md5_pass arc4_pass sha1_pass DL1BKE
axspawn auth optional /lib/security/pam_motd.so subst /etc/motd.ax25
axspawn auth optional /lib/security/pam_mail.so
axspawn account required /lib/security/pam_unix_acct.so
axspawn session required /lib/security/pam_unix_session.so
axpasswd auth required /lib/security/pam_pwdb.so shadow nullok
axpasswd auth required /lib/security/pam_ax_callchk.so
axpasswd account required /lib/security/pam_pwdb.so
axpasswd account required /lib/security/pam_ax_callchk.so
axpasswd password required /lib/security/pam_ax_passwd.so md2_pass md5_pass arc4_pass sha1_pass EB7GWL
If you have got the directory /etc/pam.d/ create a file named "axspawn"
with the following content:
auth required /lib/security/pam_ax_callchk.so
auth required /lib/security/pam_ax_autoacc.so
auth required /lib/security/pam_ax_tn_auth.so md2_pass md5_pass arc4_pass sha1_pass DL1BKE
auth optional /lib/security/pam_motd.so subst /etc/motd.ax25
auth optional /lib/security/pam_mail.so
account required /lib/security/pam_unix_acct.so
session required /lib/security/pam_unix_session.so
And another file "axpasswd" with the following content:
(You can add all the authentication methods to pam_ax_passwd.so if you wish.
The first valid will be used).
#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_ax_callchk.so
account required /lib/security/pam_pwdb.so
account required /lib/security/pam_ax_callchk.so
password required /lib/security/pam_ax_passwd.so md2_pass md5_pass arc4_pass sha1_pass EB7GWL
CONFIGURATION
=============
To make the login methods work, every user needs to have a file called
".tnauth" in his home directory. This file must have the permissions
"-rw-------" (readable and writable only by the owner). This file holds the
password in a single line with no blanks. Minimum length is 10 characters.
Example:
zhad:~ # cat .tnauth
thisismyveryownandveryprivatepassphrasethatiwouldneversharewithanybody
zhad:~ #
The PAM modules have the following options:
pam_ax_autoacc.so
-----------------
* debug - prints more or less helpful infos to the syslog
pam_ax_callchk.so
-----------------
* debug - prints more or less helpful infos to the syslog
* cb - enables callcheck in "CB-style" (only checking for the existence of
numbers and digits. No length check by now)
pam_ax_passwd.so
----------------
* debug - same as above
* no_warn - doesn't check passphrase length and rights of the .tnauth-file
* md2_pass - use MD2 method for passphrase
* md5_pass - use MD5 method for passphrase
* arc4_pass - use ARC4 method for passphrase
* rmd160_pass - use RIPEMD160 method for passphrase (doesn't work by now)
* sha1_pass - use SHA1 method for passphrase
If more than one *_pass parameter is present, the system automatically
chooses the right one.
If none of the *_pass parameters is present, the baybox method is used for
login.
The last parameter is the callsign that should be prompted (look at the
PAM config above and you will understand what I mean).
pam_ax_tn_auth.so
-----------------
* debug - same as above
* no_warn - doesn't check passphrase length and rights of the .tnauth-file
* md2_pass - use MD2 method for passphrase
* md5_pass - use MD5 method for passphrase
* arc4_pass - use ARC4 method for passphrase
* rmd160_pass - use RIPEMD160 method for passphrase (doesn't work by now)
* sha1_pass - use SHA1 method for passphrase
If more than one *_pass parameter is present, the system automatically
chooses the right one.
If none of the *_pass parameters is present, the baybox method is used for
login.
The last parameter is the callsign that should be prompted (look at the
PAM config above and you will understand what I mean).
contrib/pam_mail.so
-------------------
* debug
* dir=maildir
* close
* nopen
* noenv
* empty
Don't ask me what these options do; I'd have to take a look at the
source to tell. I guess this module checks for mail.
contrib/pam_motd.so
-------------------
* subst - substitute variables:
    $u = user
    $n = name
    $t = time (UTC)
    $T = local time
    $d = date (UTC), ISO format (DD.MM.YYYY)
    $D = local date
    $a = date (UTC), American format (YYYY/MM/DD)
    $A = local date
    $h = remote host
    $r = remote user
    $$ = "$"
* <file> - use as MOTD file, expands ~/ to user's home directory
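An added example of the "subst" expansion described above (not pam_motd's own code): it walks the template once, handles the "$$" escape and a trailing "$", and appends with a bounded copy so an over-long MOTD cannot overrun the output buffer. Assumed for the example: "$t"/"$T" print HH:MM:SS, "$D"/"$A" use the same layouts as "$d"/"$a", an unknown "$x" is copied unchanged, and the motd_* names are the example's own.

```c
/* Added example, not axspawn-pam's pam_motd code: expands the "subst"
 * meta-variables listed in this README.  Assumed here: $t/$T print HH:MM:SS,
 * $D/$A use the same layouts as $d/$a, an unknown $x is copied unchanged,
 * and the motd_* names are this example's own, not the module's. */
#include <stdio.h>
#include <string.h>
#include <time.h>
struct motd_ctx { const char *user, *name, *rhost, *ruser; time_t now; };
/* Bounded append: copies as much of s as fits and always NUL-terminates out. */
static void motd_put(char *out, size_t outlen, size_t *pos, const char *s)
{
    size_t n = strlen(s);
    if (n > outlen - 1 - *pos) n = outlen - 1 - *pos;
    memcpy(out + *pos, s, n); *pos += n; out[*pos] = '\0';
}
/* Expands in into out (at most outlen bytes); returns the expanded length. */
size_t motd_subst(const char *in, const struct motd_ctx *c, char *out, size_t outlen)
{
    size_t pos = 0; char tmp[64];
    for (out[0] = '\0'; *in; in++) {
        const char *fmt = NULL, *lit = tmp;
        if (*in != '$' || in[1] == '\0') {          /* plain char, or a trailing '$' */
            tmp[0] = *in; tmp[1] = '\0'; motd_put(out, outlen, &pos, tmp); continue;
        }
        switch (*++in) {
        case 'u': lit = c->user;  break;
        case 'n': lit = c->name;  break;
        case 'h': lit = c->rhost; break;
        case 'r': lit = c->ruser; break;
        case '$': lit = "$";      break;
        case 't': case 'T': fmt = "%H:%M:%S"; break;    /* time */
        case 'd': case 'D': fmt = "%d.%m.%Y"; break;    /* date, DD.MM.YYYY */
        case 'a': case 'A': fmt = "%Y/%m/%d"; break;    /* date, YYYY/MM/DD */
        default:  tmp[0] = '$'; tmp[1] = *in; tmp[2] = '\0'; break;
        }
        if (fmt)  /* lower-case letter = UTC, upper-case = local time */
            strftime(tmp, sizeof tmp, fmt, *in >= 'a' ? gmtime(&c->now) : localtime(&c->now));
        motd_put(out, outlen, &pos, lit);
    }
    return pos;
}
/* Demo with constructed values and epoch 0, so the UTC fields are predictable. */
const char *motd_demo(const char *tpl)
{
    static char out[256];
    struct motd_ctx c = { "dik342", "Michael", "db0pra", "dl1bke", 0 };
    motd_subst(tpl, &c, out, sizeof out);
    return out;
}
```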
TODO
====
* Checking for buffer overruns
* Better passphrase algorithm (MD2/MD5 based), see above - DONE
* Write documentation
* Find the bugs
* Check how to incorporate the passphrase algorithm into FTP/POP3/IMAP4
I'd rather see a SSH based login for the TCP services, though.
TODO (dik342)
=============
* RMD doesn't work at this moment, I had some trouble with openssl
* CB-callcheck should include a length-check
* Sourcecode needs to be documented
* Auto-accounting doesn't include adding a line to the shadow-file
* Haven't tested axpasswd yet
* Contacting possible maintainers for this package since I'm not good at C
CHANGELOG
=========
0.2.1-dl1bke-eb7gwl-mv
----------------------
- Initial release
0.2.1a-dl1bke-eb7gwl-dik342
---------------------------
- Some little changes in the documentation since I've now got a registered
callsign
- I've added some code in axspawn.c to avoid a possible buffer overflow.
vy 73,
Joerg Reuter    ampr-net: dl1bke@db0pra.ampr.org
                Internet: jreuter@poboxes.com
                www     : http://www.rat.de/jr/
Michael Vogel   Internet: icarus@dabo.de
                www     : http://www.dabo.de